IT Security News Blast 8-30-2017

Other areas growing quickly include disaster recovery and network operations. Like cybersecurity, these are important areas and require specialized skills that are not necessarily core to the business, Wagner said. Outsourcing is becoming more attractive to all organizations, the study said, but large organizations are growing IT outsourcing budgets the fastest. At the median, large organizations have increased the percentage of their IT budgets spent on outsourcing from 6.3 percent to 8.7 percent.

Normally when we are considering cyber risk, we ponder threats such as malware, hackers and such. The vendor to which we have outsourced a service like our web site, customer service or our payroll processing hardly seem to be worth considering in the same way. However, once we partner with these vendors, we will often give them unfettered access to our IT systems and data. […] Thus, a data breach at the vendor can be just as damaging as one at your company’s premises.

And despite the omnibus HIPAA Final Rule on Privacy & Security that HHS posted in Jan. 2013, which brought new safeguards to protect ePHI, healthcare CIOs and CISOs must be constantly on the ball, making adjustments to their cybersecurity plans to ensure they don’t run afoul of HIPAA rules. That is increasingly difficult in the post-omnibus era of more sophisticated attacks, most notably ransomware, ransomworms and whatever comes next. Take the latest ransomware variant Defray, for instance, which is specifically targeting healthcare and education sectors.

The agency is instructing patients with certain implantable cardiac pacemakers from St. Jude Medical – now owned by Abbott Laboratories – to visit their physicians for firmware updates to address cyber vulnerabilities that can potentially be remotely exploited by hackers and that pose safety concerns. Approximately 465,000 such devices are in use in the U.S., an Abbott spokeswoman tells Information Security Media Group. She did not immediately have information about how many of these devices are used outside the U.S.

These incidents are hugely disruptive to maritime businesses, but truly catastrophic scenarios might involve a hacker attempting to sabotage or even destroy a ship itself, through targeted manipulation of its systems. Could that happen? Could, for example, a determined and well-resourced attacker alter a vessel’s systems to provoke a collision? “It’s perfectly feasible,” says Mr Saunders. “We’ve demonstrated proof-of-concept that that could happen.”

On a warm Phoenix night five years ago, Aaron Cashatt walked down the red-carpeted hall of the second floor of a Marriott hotel, trying to move casually despite the adrenaline and methamphetamine surging through his bloodstream. […] Cashatt didn’t have a keycard. Instead, he reached underneath the lock on the door until his finger found a small, circular port and inserted the plug of his device. Then he held a frayed wire coming off the board to one end of the battery, completing an electric circuit. Instantly, the lock whirred as its bolt retracted, and a green light flashed above the door handle.

Cyber experts were blocked in their push to patch voting systems in 2016

The recommendations were derailed amid an awkward, often unspoken power struggle between, on one end, federal agencies, which have more resources to combat cyber threats; and on the other, states and localities, which hold absolute constitutional authority over elections. The states vigorously defend their territory, though they can be naive about cyber risks. Many have insisted their systems are secure. For their part, federal officials have hesitated to encroach on that turf with the election just around the corner. Both sides showed a “lack of seriousness” about voting security issues that spells trouble for protecting the nation’s jumble of election machinery against increasingly sophisticated threats[.]

After several criticisms of ICOs and cryptocurrencies, from facilitating black market activities and cyber crime to being part of Ponzi schemes, ICOs may be back in the firing line. […] An Initial Coin Offering (ICO) is a method of crowdfunding to facilitate the launch of a new cryptocurrency or tech development. A crowd-sale of a crypto asset is a term one could use. […] The unregulated nature of an ICO lends itself well to companies and small start-ups wanting to avoid the tenuous, overbearing and restrictive regulations of IPOs.

As a completely modern and infinitely complex problem with few precedents, our national security must constantly be on the cutting edge and equipped to keep up with the latest evolving cyber threats. One of the authors of this letter is DJ Patil, White House Chief Data Scientist, which is a position that didn’t even exist until the Obama administration. So it’s beyond disturbing to see America move backward in this regard (and many others).

Net neutrality comment deadline is tomorrow; 21.9 million comments in so far

You have until midnight Eastern Time tomorrow night (Wednesday) to file comments on the Federal Communications Commission plan to deregulate broadband service and roll back net neutrality rules. There are 21.9 million filings on the FCC’s “Restoring Internet Freedom” docket already, blowing away the four million received before the 2015 decision that imposed net neutrality rules. Many comments are apparently from spam bots and form letters, but Chairman Ajit Pai’s proposal to undo net neutrality rules has received massive attention.

The Defense Advanced Research Projects Agency is gathering proposals for software that can automatically neutralize botnets, armies of compromised devices that can be used to carry out attacks, according to a new broad agency announcement. The “Harnessing Autonomy for Countering Cyber-adversary Systems” program is also looking for systems that can exploit vulnerabilities in compromised networks to protect those networks, making cyber adversaries—both state and non-state—less effective.

UK infrastructure failing to meet the most basic cybersecurity standards

In total, 163 responses were received, with 63 organisations (39 per cent) admitting to not having completed the “10 Steps” programme. Among responses from NHS Trusts, only 58 per cent had completed the scheme. In the event of a breach, critical infrastructure organisations could be liable for fines of up to £17m, or 4 per cent of global turnover, under the government’s proposals to implement the EU’s Network and Information Systems (NIS) directive from May 2018.

DHS cyber chief says new NIST partnership is aimed at building security into ‘smart cities’

The fear of non-state actors launching crippling cyberattacks against critical infrastructures is a fantasy. Our most dangerous opponents are other nation states. They have the capabilities, the resources, and the intent to use cyber capabilities to attack the United States and its allies. In this, the United States has four opponents — Russia, China, Iran and North Korea, all of which have used some kind of cyberattacks against us. These opponents do not seek “cyber catastrophe.” They have used cyberespionage, coercion, and crime to advance their aims (the most important of which is changing the international order in ways that favor them and undercut democracy).

[The] Department of Homeland Security (DHS) issued a warning Monday to watch out for “malicious cyber activity” trying to take advantage of people’s charitable giving after the hurricane. “Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source,” the DHS warning said. “Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites.”

Man in jail 2 years for refusing to decrypt drives. Will he ever get out?

A now-fired Philadelphia cop has been behind bars for almost two years for refusing to decrypt hard drives that authorities found at his residence as part of a federal child-porn investigation. On Thursday, his lawyers are set to ask a federal judge to release him while he appeals the reason for his confinement to the Supreme Court. If the justices take the case, it would be the first time they weighed the constitutionality of whether forcing somebody to decrypt hardware amounts to a Fifth Amendment violation.

Responsibility for the site’s removal was claimed by the Lawyers’ Committee for Civil Rights Under Law. According to Kristen Clarke, the executive director of the committee, the website was being used to “promote racially-motivated violence and hate,” so the committee led efforts to force Network Solutions to shut it down. […] According to TechCrunch findings, the site was a unique sort of platform: it was widely regarded as “the Murder Capital of the Internet” by the Southern Poverty Law Center (SPLC). By the year 2014, more than a hundred murders were attributed to the site’s members and users.

Mainly targeting IP cameras, DVRs and routers that haven’t been properly secured, such botnets attempt to ensnare devices and use them for malicious purposes such as distributed denial of service (DDoS) attacks. Compromised IoT products are also used to scan the Internet for other vulnerable devices and add them to the botnet. […] According to him, the device used the root:xc3511 login pair and recorded a total of 1254 login attempts from different IPs over a period of 45 hours. Basically, someone or something would log in to it every 2 minutes using the correct credentials, he says.
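The pattern the article describes (one account receiving successful logins from many different addresses at a steady pace) is something a defender can pick out of a device’s login log. The following is an added example, not code from the article or from any vendor; the log format, the `login OK/FAIL` wording and the source addresses are constructed for the illustration, and the thresholds are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed log lines in an assumed syslog-like format emitted by a device's
# remote-login daemon (not a real vendor format). Timestamps are UTC.
SAMPLE_LOG = """\
2017-08-29T10:00:12Z login OK user=root src=203.0.113.5 proto=telnet
2017-08-29T10:02:09Z login OK user=root src=198.51.100.17 proto=telnet
2017-08-29T10:04:15Z login OK user=root src=203.0.113.77 proto=telnet
2017-08-29T10:05:40Z login FAIL user=admin src=203.0.113.77 proto=telnet
2017-08-29T10:06:03Z login OK user=root src=192.0.2.41 proto=telnet
2017-08-29T10:30:00Z login OK user=operator src=192.0.2.9 proto=ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) proto=(?P<proto>\S+)$")

def parse(log_text):
    """Turn matching lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: ignore it
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def account_stats(events):
    """Per account: successful logins, distinct source IPs, largest gap in seconds."""
    by_user = {}
    for ts, result, user, src in events:
        if result == "OK":
            by_user.setdefault(user, []).append((ts, src))
    stats = {}
    for user, hits in by_user.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        stats[user] = {"logins": len(hits),
                       "sources": len({src for _, src in hits}),
                       "max_gap_s": max(gaps) if gaps else None}
    return stats

def flag_shared_credential_use(stats, min_sources=3, max_gap_s=300):
    """Accounts whose password is evidently known to many hosts: successful logins
    from at least min_sources addresses, never more than max_gap_s apart."""
    return sorted(u for u, s in stats.items()
                  if s["sources"] >= min_sources
                  and s["max_gap_s"] is not None and s["max_gap_s"] <= max_gap_s)
```

On the constructed sample the root account is flagged (four sources, about two minutes apart) while the single operator login is not.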

Researchers Figure Out How to Blind ISPs from Smart Home Device Traffic

The researchers, a team from Princeton University, published a paper on their work called “Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic.” In it, they suggest that a relatively straightforward technique known as traffic rate shaping is a solid strategy for mitigating privacy risks posed by these devices. […] The researchers propose traffic shaping through independent link padding, which shapes traffic rates to a constant size, eliminating the ability of snoops to infer activity from spikes and certain traffic patterns.
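A toy model of the independent link padding defence, added here as an illustration and not taken from the Princeton paper: device demand is modelled per time slot, the shaper puts exactly one fixed-size frame on the wire every slot (real bytes first, dummy padding for the rest), and the observer is left with a flat byte count. The frame size and the camera demand series are constructed assumptions.

```python
from collections import deque

FRAME_BYTES = 512  # constant wire rate: one 512-byte frame per slot (assumed)

def shape_independent_link_padding(demand, frame_bytes=FRAME_BYTES):
    """Return (wire, max_delay): bytes placed on the wire in each slot, and the
    worst queueing delay, in slots, that any chunk of real device data saw."""
    queue = deque()            # [arrival_slot, bytes_left] chunks awaiting a frame
    wire, max_delay, slot = [], 0, 0
    while slot < len(demand) or queue:   # keep emitting frames until drained
        if slot < len(demand) and demand[slot] > 0:
            queue.append([slot, demand[slot]])
        room = frame_bytes
        while queue and room > 0:        # fill with real data, oldest first
            take = min(room, queue[0][1])
            room -= take
            queue[0][1] -= take
            if queue[0][1] == 0:
                max_delay = max(max_delay, slot - queue.popleft()[0])
        wire.append(frame_bytes)         # leftover room is dummy padding
        slot += 1
    return wire, max_delay

def leaks_activity(series):
    """The observer's side: activity is inferable only if per-slot byte
    counts vary at all across the capture."""
    return len(set(series)) > 1

# Constructed demand: an idle camera, then a motion-triggered upload burst.
CAMERA_DEMAND = [0, 0, 0, 1400, 1400, 2800, 0, 0, 0, 0]

if __name__ == "__main__":
    wire, delay = shape_independent_link_padding(CAMERA_DEMAND)
    print("raw series leaks activity:   ", leaks_activity(CAMERA_DEMAND))
    print("shaped series leaks activity:", leaks_activity(wire))
    print("worst added latency (slots): ", delay)
```

The cost of the defence is visible in the same run: the burst is delayed by several slots and the link carries padding while the camera is idle, which is the bandwidth/latency trade-off the technique accepts.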

The database has been verified by Troy Hunt of Have I Been Pwned (HIBP), who wrote a blog post explaining that 27 percent of the leaked accounts were already part of HIBP and predominantly from data breaches such as LinkedIn, Anti Combo list, MySpace, and Dropbox. “It took HIBP 110 data breaches over a period of 2 and a half years to accumulate 711m addresses and here we go, in one fell swoop, with that many concentrated in a single location. It’s a mind-boggling amount of data,” said Hunt.

The passwords were apparently hashed. The statement merely says, “your password has not been stored in plain text,” without giving any indication on how it was stored. However, it warns that if the user’s password “is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services.” This is an understatement, and would more accurately be stated as, ‘unless your password is particularly complicated, it will be discovered by a third-party in a very short period of time.’


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.